We have successfully managed to create a telnet-enabled firmware for the LS-GL. Fortunately for us, the LS-GL already came with a telnet binary in the stock firmware. Telnet can be enabled by uncommenting line 42 in /etc/init.d/rcS and repackaging hddrootfs.

+

+

There is a pre-made telnet enabled firmware available at [http://downloads.linkstationwiki.net/arm9-LS_Pro/telnet_enabled_no_root_password/LSPro-103.2.zip here].

+

+

'''Note:''' The above firmware package ''does'' enable root access.

+

+

=Removing Root Password=

+

There are two known successful ways for removing the root password. You can euse the "manual method" or uses a special "clearroot" method (The telnet enabled firmware contains the "clearroot" method). Possibly a third method is to use the firmware updater's debug tags.

+

===Manual Method===

+

The general idea is to open connect the sata drive to a desktop running a linux distribution (i.e. Knoppix or Ubuntu). Then remove root password in /etc/shadow.

2) Find out how it was recognized. (i.e. in Knoppix there are some shortcuts on the desktop).

+

+

3) Open a shell/commandline/terminal.

+

+

4) Mount the second partition of the sata hdd to somewhere.

+

+

5) Delete everything on the partition

+

+

6) Download the telnet enabled hddrootfs.img located in this [http://downloads.linkstationwiki.net/arm9-LS_Pro/telnet_enabled_no_root_password/LS-GL-103.zip zip]

+

+

7) Unzip hddrootfs.img...you will be prompted for a password.

+

it is:

+

IeY8omJwGlGkIbJm2FH_MV4fLsXE8ieu0gNYwE6Ty

+

+

8) Untar the resulting file to the second partition:

+

tar xzvf <file> <path_where_you_mounted_the_second_partition>

+

+

9*) mount /dev/sda1 (assuming the sata drive is the first special drive connected on the pc) somewhere

+

*extract conf_saved.tgz, remove password in etc/shadow to look like:

+

root::11009:0:99999:7:::

+

+

10*) re-tar the contents of conf_saved.tgz, replace conf_saved.tgz to /dev/sda1,

+

umount

+

+

+

(*)These steps still need to be tested further!!!

+

*Steps originally drafted by mindbender.

+

+

===Heinz' Method===

+

Heinz made a script to automatically convert a downloaded stock firmware into a telnet enabled firmware with root access. The script is made for the German firmware. The script is available [http://downloads.linkstationwiki.net/arm9-LS_Pro/telnet_enabled_no_root_password/enable-telnet.sh here]. Heinz also made a pre-made firmware package with his script. It can be downloaded [http://downloads.linkstationwiki.net/arm9-LS_Pro/telnet_enabled_no_root_password/LS-GL_FW_103-modified.zip here].

+

*'''Testing Needed'''

+

+

The script mainly does the following things:

+

+

* retrieving the actual firmware update from the buffalo site.

+

* unzip the archive to a tmp directory

+

* modify linkstation_version, because the updater only updates "newer" firmwares. It seems this can be overwritten in the debug mode (see georg's changes)

+

* for modifing the installed image. it is unzipped (using the current password)

+

* then to start the (already installed) telnetd, some comments in the rcS script are removed.

+

* because the password of the root login is not known, it needs to be removed. Modifing /etc/shadow had not worked, so currently we change the web interface, which runs with root permissions, to do it for us.

Georg modified Heinz' automatic script. For those with access, the script it is available in [http://downloads.linkstationwiki.net/uploads/LS_Pro_temporary/telnet_enabled_no_root_password/ LS_Pro Temporary Upload Folder for Telnet Enabled Firmwares]

+

The script untars the firmware, sets the current dates in linkstation_version.txt (allows exchange of kernel etc.) and adds the debug flag for LSUpdater.exe. Further telnetd is started during boot and the web interface scripts are altered in order to clear the root password when "creating" user 'clearroot'.

+

Thanks to MartinP, the latest version uses the correct path to passwd (/usr/sbin). It also offers command line parameters to exchange kernel, uboot and untar an additional tar file into the root file system (see option -h).

+

*'''Testing Needed'''

+

=====Instructions=====

+

Run the script as user root, if the zipped firmware file is not present, the script tries to get it from buffalos server. If you don't want the script to delete the temporary directory (e.g. to directly run LSUpdater.exe or for further modifications) add option -d.

+

====acp_commander====

+

Buffalos updater software LSUpdater.exe uses ACP commands to communicate with the box. Upon writing a java software (acp_commander) that uses this communication path Georg accidentally found a bug in the Linkstations software. Sending a mailformed ACP_CMD disables the whole authentication process buffalo implemented. After that it is possible to send ACP_CMD's starting telnetd and removing the root password.

+

*'''Testing Needed'''

+

=====Instructions=====

+

'''This is not fully tested and might brick your linkstation!'''

+

+

Run the jar with the option -o for opening (telnet, clear root password) the target -t:

+

+

java -jar acp_commander.jar -t linkstation -o

+

[[Category:LSPro]]

[[Category:LSPro]]

[[Category:Howto]]

[[Category:Howto]]

[[Category:Software]]

[[Category:Software]]

Revision as of 22:24, 31 August 2007

I just bought another LS(Live) & wanted to have it open (SSH), as close to a stock firmware box as I could for testing.
There are a few fixes that should be added too.

I'll be referencing a few links to a few wiki/web articles as long as some user posts. Hopefully this will cover most of what is needed. As always I'm human & can make some mistakes. If you see anything that seems a bit odd, change it.

This may not happen straight away. However I have only ever had to do it a maximum of twice.

Your Linkstation should now have the telnet daemon enabled. User "root" will have a null (Blank) root password, until you change it. The telnet daemon will be available until you reboot your Linkstation.

Enable your firewall. (If applicable)

Now you can login to your Linkstation with telnet.

Connect with Telnet

Enter the following (Replacing <IP ADDRESS> with the IP Address of your Linkstation)

telnet <IP ADDRESS>

and login with "root" No password should be asked.

Securing

First thing you want to do is set the root password & secure your Linkstation from unwanted users.

Enter the following.

passwd

You will be promted with the following.

Changing password for root
Enter the new password (minimum of 5, maximum of 20 characters)
Please use a combination of upper and lower case letters and numbers.
Enter new password:

Enter your new password, press enter. You will be then promted with:

Re-enter new password:

Re-enter your new password. Press enter. If your passwords match (C'mon it aint hard), you will get the following notifiction:

Password changed.

Create a startup script & config for sshd.

If you want to leave telnet as the preferred way of connecting then you don't have to do this. Skip to section: Adding Telnet/SSHD to your start up script (rcS)

The stock firmware does have the sshd binaries included. The following section will allow you to create a startup script for this.

Config

Now we need to create the config. I will use an example of a basic config to allow you access. You can add the relevant sections the you want. More info can be found http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config
There already exists a config file for sshd, this has nothing enabled. We will make a backup copy of this before editing.
Enter the following:

Optional Files & Fixes

Time discrepancies

Some might notice in their logs that there are some errors with backups, system time etc. The reason for this is the hardware clock is not updated by sytem time. The file time_set.sh is missing. http://bugtracker.linkstationwiki.net/view.php?id=113
This can be resolved by creating a symlink to set_time.sh

Daemonwatch.. Adding sshd.

For those that have taken the option to have sshd as their preferred way of connecting to their Linkstation. sshd can be added to the daemonwatch list, if it falls over for any reason it will be respawned.

You should then be disconnected from your ssh session.
The daemonwatch process should have detected that sshd has stopped & restarted. You should now be able to log back in.. However if not.. You have your telnet access to fall back on & investigate.
In '/var/log/linkstation.log' you should see the following entry.

Telnet Access

We have successfully managed to create a telnet-enabled firmware for the LS-GL. Fortunately for us, the LS-GL already came with a telnet binary in the stock firmware. Telnet can be enabled by uncommenting line 42 in /etc/init.d/rcS and repackaging hddrootfs.

Removing Root Password

There are two known successful ways for removing the root password. You can euse the "manual method" or uses a special "clearroot" method (The telnet enabled firmware contains the "clearroot" method). Possibly a third method is to use the firmware updater's debug tags.

Manual Method

The general idea is to open connect the sata drive to a desktop running a linux distribution (i.e. Knoppix or Ubuntu). Then remove root password in /etc/shadow.

Heinz' Method

Heinz made a script to automatically convert a downloaded stock firmware into a telnet enabled firmware with root access. The script is made for the German firmware. The script is available here. Heinz also made a pre-made firmware package with his script. It can be downloaded here.

Testing Needed

The script mainly does the following things:

retrieving the actual firmware update from the buffalo site.

unzip the archive to a tmp directory

modify linkstation_version, because the updater only updates "newer" firmwares. It seems this can be overwritten in the debug mode (see georg's changes)

for modifing the installed image. it is unzipped (using the current password)

then to start the (already installed) telnetd, some comments in the rcS script are removed.

because the password of the root login is not known, it needs to be removed. Modifing /etc/shadow had not worked, so currently we change the web interface, which runs with root permissions, to do it for us.

Instructions

Georg's Method

Script method

Georg modified Heinz' automatic script. For those with access, the script it is available in LS_Pro Temporary Upload Folder for Telnet Enabled Firmwares
The script untars the firmware, sets the current dates in linkstation_version.txt (allows exchange of kernel etc.) and adds the debug flag for LSUpdater.exe. Further telnetd is started during boot and the web interface scripts are altered in order to clear the root password when "creating" user 'clearroot'.
Thanks to MartinP, the latest version uses the correct path to passwd (/usr/sbin). It also offers command line parameters to exchange kernel, uboot and untar an additional tar file into the root file system (see option -h).

Testing Needed

Instructions

Run the script as user root, if the zipped firmware file is not present, the script tries to get it from buffalos server. If you don't want the script to delete the temporary directory (e.g. to directly run LSUpdater.exe or for further modifications) add option -d.

acp_commander

Buffalos updater software LSUpdater.exe uses ACP commands to communicate with the box. Upon writing a java software (acp_commander) that uses this communication path Georg accidentally found a bug in the Linkstations software. Sending a mailformed ACP_CMD disables the whole authentication process buffalo implemented. After that it is possible to send ACP_CMD's starting telnetd and removing the root password.

Testing Needed

Instructions

This is not fully tested and might brick your linkstation!

Run the jar with the option -o for opening (telnet, clear root password) the target -t: